NAI Comparison: 


Generally, the law will go into 
effect March 31, 2024 for 
covered entities, and June 
30, 2024 for small 
businesses. 


However, the geofencing 
prohibition will go into effect 
July 22, 2023. 


"Regulated entity" means 
any legal entity that: 


(a) Conducts business in 
Washington, or produces or 
provides products or services 
that are targeted to 
consumers in Washington; 
and 


(b) alone or jointly with 
others, determines the 
purpose and means of 
collecting, processing, 
sharing, or selling of 
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Effective March 31, 2024 


“Regulated entity” means 
any person who: 


1. Conducts business in 
this State or produces or 
provides products or 
services that are targeted 
to consumers in this 
State; 

and 

2. Alone or with other 
persons, determines the 
purpose and 

means of processing, 
sharing or selling consumer 
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CT NY (Sec. 2 only) 


Provisions re: consumer July 2, 2023 
health data will go into 


effect July 1, 2023. 


Sections pertaining to 
consumer health data apply 
to persons that 

conduct business in this 
state and persons that 
produce products or 
services that are targeted to 
residents of this state. 


General Applicability 


(Sec. 2(a)(2)) 


NAI Comparison: 


consumer health data. 


(Sec. 3(23)) 


"Consumer health data" 
means personal information 
that is linked or reasonably 
linkable to a consumer and 
that identifies the consumer's 
past, present, or future 
physical or mental health 
status. 


(b) For the purposes of this 
definition, physical or mental 
health status includes, but is 
not limited to: 


(i) Individual health 
conditions, treatment, 
diseases, or 

Diagnosis; 

(ii) Social, psychological, 
behavioral, and medical 
Interventions; 

(iii) Health-related surgeries 
or procedures; 
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NV 
health data. 


(Sec. 15)) 


“Consumer health data” 
means personally 
identifiable information that 
is linked or reasonably 
capable of 

being linked to a 
consumer and that a 
regulated entity uses to 
identify the past, present 
or future health status of 
the consumer. 


The term: 
1. Includes, without 
limitation: 


(a) Information relating to: 
(1) Any health condition or 
status, disease or 
diagnosis; 

(2) Social, psychological, 
behavioral or medical 
interventions; 
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"Consumer health data" 
means any personal data 
that a controller 

uses to identify a 
consumer's physical or 
mental health condition or 
diagnosis, and includes, but 
is not limited to, 
gender-affirming health 
data and reproductive or 
sexual health data. 


This amendment makes 
“consumer health data” a 
subset of sensitive 
information. 


(Sec. 1(9)) 
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(iv) Use or purchase of 
prescribed medication; 

(v) Bodily functions, vital 
signs, symptoms, or 
measurements of the 
information described in this 
subsection (8)(b); 

(vi) Diagnoses or diagnostic 
testing, treatment, or 
medication; 

(vii) Gender-affirming care 
information; 

(viii) Reproductive or sexual 
health information; 

(ix) Biometric data; 

(x) Genetic data; 

(xi) Precise location 
information that could 
reasonably indicate a 
consumer's attempt to 
acquire or receive health 
services or 

Supplies; 

(xii) Data that identifies a 
consumer seeking health 
care 

services; or 
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(3) Surgeries or other 
health-related procedures; 
(4) The use or acquisition 
of medication; 

(5) Bodily functions, vital 
signs or symptoms; 

(6) Reproductive or sexual 
health care; and 

(7) Gender-affirming care; 


(b) Biometric data or 
genetic data related to 
information 

described in paragraph (a); 


(c) Information related to 
the precise geolocation 
information 

of a consumer that a 
regulated entity uses to 
indicate an attempt 

by a consumer to receive 
health care services or 
products; and 


(d) Any information 
described in paragraph (a), 
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(xiii) Any information that a (b) or (c) that 

regulated entity or a small is derived or extrapolated 

business, or their respective | from information that is 

processor, processes to not consumer 

associate or health data, including, 

identify a consumer with the | without limitation, proxy, 

data described in (b)(i) derivative, 

through (xii) of this inferred or emergent data 

subsection that is derived or | derived through an 

extrapolated from nonhealth | algorithm, machine 

information (such as proxy, learning or any other 

derivative, inferred, or means. 

emergent data by 

any means, including Does not include 

algorithms or machine information that is used to: 

learning). (a) Provide access to or 
enable gameplay by a 

(Sec. 3(8)) person on a video game 
platform; or 
(b) Identify the shopping 
habits or interests of a 
consumer, if that 
information is not used to 
identify the specific past, 
present or future health 
status of the consumer. 
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"Health care services" 
means any service provided 
to a person to assess, 
measure, improve, or learn 
about a person's mental 

or physical health, including 
but not limited to: 


(a) Individual health 
conditions, status, diseases, 
or diagnoses; 

(b) Social, psychological, 
behavioral, and medical 
interventions; 

(c) Health-related surgeries 
or procedures; 

(d) Use or purchase of 
medication; 

(e) Bodily functions, vital 
signs, symptoms, or 
measurements of 

the information described in 
this subsection; 

(f) Diagnoses or diagnostic 


“Health care services or 
products” means any 
service or product provided 
to a person to assess, 
measure,improve or learn 
about the health of a 
person. The term includes, 
without limitation: 


1. Services relating to any 
health condition or status, 
disease or diagnosis; 

2. Social, psychological, 
behavioral or medical 
interventions; 

3. Surgeries or other 
health-related procedures; 
4. Medication or services 
related to the use or 
acquisition of medication; or 
5. Monitoring or 
measurement related to 
bodily functions, vital signs 
or symptoms. 


NAI Comparison: 


testing, treatment, or 
medication; 

(g) Reproductive health care 
services; or 

(h) Gender-affirming care 
services. 


(Sec. 3(15)) 


Opt-in consent required to 
“collect” or “share” consumer 
health data. 


“Valid authorization” required 
to “sell” consumer health 
data. Requires a consumer 
signature and expires after 
one year. 


"Sell" or "sale" means the 
exchange of consumer 
healthdata for monetary or 
other valuable consideration. 


"Sell" or "sale" does not 
include the exchange of 
consumer health data for 
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Opt-in consent required to 
“collect” or “share” 
consumer health data. 


“Valid authorization” 
required to “sell” consumer 
health data. Requires 
consumer signature and 
expires after one year. 


“Sell” means to exchange 
consumer health data for 
money or other valuable 
consideration. 


The term does not include 
the exchange of consumer 
health data for money or 
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Consumer consent required | NA 
to sell or offer to sell 
consumer health data. 


(Sec. 2(a)(1)(D)) 


“Sale” has the same 
meaning as the broader 
CTDPA (“"Sale of personal 
data" means the exchange 
of personal data 

for monetary or other 
valuable consideration by 
the controller to a third 
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monetary or other valuable 
consideration: 

(i) To a third party as an 
asset that is part of a merger, 
acquisition, bankruptcy, or 
other transaction in which the 
third party assumes control 
of all or part of the regulated 
entity's or the 

small business's assets that 
complies with the 
requirements and 
obligations in this chapter; or 
(ii) By a regulated entity or a 
small business to a 
processor when such 
exchange is consistent with 
the purpose for which the 
consumer health data was 
collected and disclosed to 
the consumer. 


(Sec. 3(26)) 
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other valuable 
consideration: 


1.With a processor ina 
manner consistent with 
the purpose for which the 
consumer health data was 
collected, as disclosed to 
the consumer to whom the 
consumer health data 
pertains 

pursuant to section 22 of 
this act. 


2.With a third party as an 
asset that is part of a 
merger, acquisition, 
bankruptcy or other 
transaction through which 
the third party assumes 
control of all or part of 
the assets of the 
regulated entity. 


3.With a third party for 
the purpose of providing 
a product or service 


CT 


party.”) 
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requested by the 
consumer to whom the 
consumer 

health data pertains. 


4.With an affiliate of the 
person who is providing or 
disclosing the consumer 
health data. 

5. As directed by the 
consumer to whom the 


consumer health 


data pertains or where 
the consumer to whom 
the consumer 

health data pertains 
intentionally uses the 
person who is providing 
or disclosing the 
consumer health data to 
interact with the third 
party to whom the 
consumer health data is 
provided or disclosed. 28 


6. Where the consumer has 
intentionally made the 
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“Valid authorization” to sell 
consumer health data must 
be written in plain language 
and include the following: 


(a) Specific consumer health 
data to be sold 

(b) name and contact 
information of the person 
selling the data 

(c) name and contact 
information of the person 
purchasing the data 

(d) description of the purpose 
of the sale, including how it 
will be gathered and used 
(e) a statement that the 
provision of goods or 
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consumer 
health data available to 
the general public through 
mass media 

that was not restricted to a 
specific audience. 


(Sec. 17) 


“Written Authorization” to 
sell consumer health data 
must be written in plain 
language and include the 
following: 


(a) The name and contact 
information of the person 
selling the data 

(b) description of the 
specific data to be sold 
(c) the name and contact 
information of the person 
purchasing the data 

(d) a description of the 
purpose of the sale, without 
limitation, the manner in 
which the data will be 
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services may not be 
conditioned on the consumer 
providing the authorization 
(f) statement that the 
consumer has the right to 
revoke the authorization, and 
instructions on how to do so 
(g) statement that the 
consumer health data sold 
may be subject to 
redisclosure by the 
purchaser and may no longer 
be protected by this section 
(h) expiration date of one 
year + consumer signature 
and date 


(Sec. 9(2)) 


It is unlawful for any person 
to 

implement a geofence 
around an entity that 
provides in-person health 
care services where such 
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collected, and how it will be 


used by the purchaser 
(e) statement that the 
regulated entity may not 
condition the provision of 
goods or services on a 
consumer authorizing the 
sale of the data 

(f) statement that the 


consumer may revoke the 


authorization, and a 


description of how to do so 


(g) statement of potential 
redisclosure of the data 
(h) the date of expiration 
(one year) and 

(i) signature of the 
consumer 


(Sec. 30(3)) 


A person shall not 
implement a geofence 
within 1,750 feet of any 
medical facility, facility for 
the dependent or any 
other person or entity that 
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“It shall be unlawful for 
any person,corporation, 
partnership, or 
association to establish a 
geofence or similar virtual 
boundary around any 


No person shall use a 
geofence to establish a 
virtual boundary that is 
within one thousand seven 
hundred fifty feet of any 
mental health facility or 
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geofence is used to: 


(1) Identify or track 
consumers seeking health 
care services; 

(2) collect consumer health 
data from consumers; or 
(3) send notifications, 
messages, or 
advertisements to 
consumers related to their 
consumer health data or 
health care services. (Sec. 
10). 
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provides in-person health 
care services 

or products for the purpose 
of: 


(a) Identifying or tracking 
consumers seeking 
in-person health 

care services or products; 
(b) Collecting consumer 
health data; or 

(c) Sending notifications, 
messages or 
advertisements to 


consumers related to their 


consumer health data or 
health care 
services or products. 


(Sec. 31(1)) 
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reproductive or sexual 
health facility for the 
purpose of identifying, 
tracking, collecting data 
from or sending any 
notification to a consumer 
regarding the consumer's 
consumer health 

Data. 


(Sec. 2(a)(1)(C)) 


health care facility, other 
than their own health care 
facility, as defined 
pursuant to paragraph c 
of subdivision one of this 
section, for the purpose of 
delivering by electronic 
means a digital 
advertisement to a user, 
for the purpose of 
building consumer 
profiles, or to infer 
health status, medical 
condition, or medical 
treatment of any person 
at or within such health 
care facility, and it shall be 
unlawful for any person, 
corporation, partnership, 
or association to deliver 
by electronic means any 
digital advertisement to 
a user at or within any 
such health care facility, 
other than their own 
health care facility, 
through the use of 


NAI Comparison: 


"Geofence" means 
technology that uses global 
positioning coordinates, cell 
tower connectivity, cellular 
data, radio frequency 
identification, Wifi data, 
and/or any other form of 
spatial or 

location detection to 
establish a virtual boundary 
around a specific 

physical location, or to locate 
a consumer within a virtual 
boundary. 

For purposes of this 
definition, "geofence" means 
a virtual boundary 

that is 2,000 feet or less from 
the perimeter of the physical 
location. 
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“Geofence” means 
technology that uses 
coordinates for 

global positioning, 
connectivity to cellular 
towers, cellular data, 
radio frequency 
identification, wireless 
Internet data or any other 
form of detecting the 
physical location of a 
person to establish a 
virtual boundary with a 
radius of 1.750 feet or 
less around a 

specific physical location. 


(Sec. 31(2)(b)) 
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"Geofence" means any 
technology that uses global 
positioning 

coordinates, cell tower 
connectivity, cellular data, 
radio frequency 
identification, wireless 
fidelity technology data or 
any other form of 

location detection, or any 
combination of such 
coordinates, connectivity, 
data, identification or other 
form of location detection, 
to establish a 

virtual boundary. 


(Sec. 1(a)(19)) 


geofencing or similar 
virtual boundary. 


(Sec. 2(2)) 


"Geofencing" means a 
technology that uses 
global positioning system 
coordinates, cell tower 
connectivity, cellular 
data, radio frequency 
identification, Wi-Fi data 
and/or any other form of 
location detection, to 
establish a virtual 
boundary of 1,850 feet 
radius or less or 
"geofence" around a 
particular location that 
allows a digital 
advertiser to track the 
location of an individual 
user and electronically 
deliver targeted digital 
advertisements 

directly to such user's 
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NA — prohibition applies to 
any entity that provides in 
person health care services 


NV 


“Medical facility” includes: 
1.A surgical center for 
ambulatory patients; 


CT 


"Mental health facility" 
means any health care 
facility in which at 


mobile device upon such 
user's entry into the 
geofenced area. This 
shall also include the 
process of identifying 
whether a device enters, 
exits, or is present within 
a geographic area 
through the use of any 
information stored, 
transmitted, or received 
by the device, including 
but not limited to latitude, 
longitude, internet 
protocol address, 
wireless internet access 
information, cell tower 
connectivity, device 
identification information 
and/or other forms of 
location data. 


(Sec. 2(1)(b)) 


"Health care facility" 
means any governmental 
or private entity that 
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(See definition of health care 
services) 


NV 


2.A freestanding birthing 
center; 


3.An independent center for 


emergency medical care; 
4.An agency to provide 
nursing in the home; 

5.A facility for intermediate 
care; 

6.A facility for skilled 
nursing; 

7.A facility for hospice care; 
8.A hospital; 

9.A psychiatric hospital; 
10.A facility for the 
treatment of irreversible 
renal disease; 

11.A rural clinic; 

12.A nursing pool; 

13.A facility for modified 
medical detoxification; 
14.A facility for refractive 
surgery; 

15.A mobile unit; and 
16.A community triage 
center. 


(As defined in NRS 
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least seventy per cent of 
the health care services 
provided in such facility 


are mental health services. 


(Sec. 1(23)) 


"Reproductive or sexual 
health facility" means any 
health care 

facility in which at least 
seventy per cent of the 
health care-related 
services or products 
rendered or provided in 
such facility are 
reproductive or sexual 
health care. 


(Sec. 1(36)) 


provides medical care or 
related services, including 
but not limited to, those 
who provide such care 
pursuant to article 
twenty-eight of 

the public health law or 
licensed under article 
thirty-one, thirty-two or 
sixteen of the mental 
hygiene law, including the 
building or structure in 
which the facility is 
located. 


(Sec. 2(c)) 
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A violation of the law is an 
unfair or deceptive trade 
practice, and provides a 
private right of action through 
the State’s Consumer 
Protection Act. Consumers 
must still show injury and 
causation. 


The statute also provides for 
Attorney General 
enforcement. 


A violation of the law 
constitutes a deceptive 
trade practice for purposes 
of the State’s consumer 
protection law, but does not 
provide a private right of 
action. 


Attorney General 
enforcement provided. 


A violation of this 
subsection constitutes a 
violation of the CTDPA. No 
private right of action. 


